U.S. patent application number 10/534901 was filed with the patent office on 2006-06-08 for quantum cryptography protocol.
Invention is credited to Antonio Acin, Nicolas Gisin, Gregoire Ribordy, Valerio Scarani.
Application Number | 20060120529 10/534901 |
Family ID | 32326347 |
Filed Date | 2006-06-08 |
United States Patent Application | 20060120529
Kind Code | A1
Gisin; Nicolas ; et al. | June 8, 2006
Quantum cryptography protocol
Abstract
An apparatus and method for implementing a quantum cryptography
system encoding bit values on approximations of elementary quantum
systems with provable and absolute security against photon number
splitting attacks. The emitter encodes the bit values onto pairs of
non-orthogonal states belonging to at least two sets, and such that
there does not exist a single quantum operation allowing to reduce
the overlap of the states in all the sets simultaneously.
Inventors: | Gisin; Nicolas; (Vessy, CH) ; Acin; Antonio; (Barcelona, ES) ; Scarani; Valerio; (Lausanne, CH) ; Ribordy; Gregoire; (Geneve, CH)
Correspondence Address: | BROWDY AND NEIMARK, P.L.L.C.; 624 NINTH STREET, NW, SUITE 300, WASHINGTON, DC 20001-5303, US
Family ID: | 32326347
Appl. No.: | 10/534901
Filed: | November 12, 2003
PCT Filed: | November 12, 2003
PCT NO: | PCT/CH03/00738
371 Date: | October 7, 2005
Current U.S. Class: | 380/256
Current CPC Class: | H04L 9/0852 20130101
Class at Publication: | 380/256
International Class: | H04K 1/00 20060101 H04K001/00
Foreign Application Data
Date | Code | Application Number
Nov 15, 2002 | US | 60426402
Claims
1. A method for exchanging a secure cryptographic key for a quantum
cryptography apparatus employing non-ideal elementary quantum
systems, wherein the apparatus comprises an emitter and a receiver,
being connected by a quantum channel and a conventional
communication channel, the emitter encodes each bit at random onto
a pair of non-orthogonal states belonging to at least two suitable
sets, there is no single quantum operation reducing the overlap
of the quantum states of all sets simultaneously, the emitter sends
the encoded bit along the quantum channel to the receiver, the
receiver randomly chooses the analysis measurement within said
suitable sets, the emitter sends the set information along the
conventional communication channel, the receiver discards all
received encoded bits for which he has chosen a different analysis
measurement incompatible with the set they belonged to and sends an
appropriate information to the emitter along the conventional
communication channel.
2. The method according to claim 1, wherein in the step of the
emitter sending an encoded bit along the quantum channel to the
receiver weak coherent states are exchanged between the emitter and
the receiver.
3. The method according to claim 2, wherein the weak coherent
states are laser pulses with an average photon number per pulse of
less than 0.5 photons, preferably less than 0.1 photons.
4. The method according to claim 1, wherein the emitter is using
two sets $A=\{|0_a\rangle,|1_a\rangle\}$ and
$B=\{|0_b\rangle,|1_b\rangle\}$, chosen such that
$|\langle 0_a|1_a\rangle|=\eta_a\neq 0$,
$|\langle 0_b|1_b\rangle|=\eta_b\neq 0$, and wherein there is
no single quantum operation reducing the overlap of the quantum
states of all sets simultaneously, and the receiver randomly
chooses the analysis measurement between
$$F_A=\frac{1}{\sqrt{1+\eta}}\left(|{+x}\rangle\langle 1_a^{\perp}|+|{-x}\rangle\langle 0_a^{\perp}|\right)$$
and
$$F_B=\frac{1}{\sqrt{1+\eta}}\left(|{+x}\rangle\langle 1_b^{\perp}|+|{-x}\rangle\langle 0_b^{\perp}|\right)$$
followed by a von Neumann measurement distinguishing between
$|+x\rangle$ and $|-x\rangle$.
5. The method according to claim 1, wherein after a number of
encoded bits has been transmitted, a protocol step is performed,
within which emitter and receiver agree on a body of cryptographic
key information which is shared between emitter and receiver, but
secret from all other units who may be monitoring the quantum
channel and the public channel, or else conclude that the encoded
bits can not be safely used as cryptographic key information.
6. A method for exchanging a secure cryptographic key for a quantum
cryptography system employing non-ideal elementary quantum states,
where the key values are encoded on at least two sets of
non-orthogonal quantum states characterized by the fact that it is
not possible to find a single quantum operation, whether
probabilistic or not, that reduces the overlap of the states of all
sets simultaneously.
7. A quantum cryptography system employing non-ideal elementary
quantum states to exchange secure cryptographic key information and
comprising a source of non-ideal elementary quantum states, an
emitter and a receiver, being connected by a quantum channel and a
conventional communication channel, the emitter comprising or
connected to a random number generator allowing to prepare random
non-orthogonal quantum states belonging to at least two suitable
sets, wherein there is no single quantum operation reducing the
overlap of the quantum states of all sets simultaneously, the
receiver comprising or connected to a random number generator
allowing to choose an analysis measurement for said quantum states,
the emitter being able to send the encoded bit along the quantum
channel to the receiver and being able to send the set information
along the conventional communication channel, the receiver being
able to discard all received encoded bits for which he has chosen a
different analysis measurement and to send an appropriate
information to the emitter along the conventional communication
channel.
8. The quantum cryptography system according to claim 7, wherein
said source is a laser source and the emitter comprises a
preparation device sending laser pulses with an average photon
number per pulse of less than 0.5 photons, preferably less than 0.1
photons.
9. The quantum cryptography system according to claim 7, wherein
emitter and receiver both comprise processing units being able to
perform, after a number of encoded bits had been transmitted, a
protocol step, within which emitter and receiver agree on a body of
cryptographic key information which is shared between emitter and
receiver, but secret from all other units who may be monitoring the
quantum channel and the public channel, or else conclude that the
encoded bits can not be safely used as cryptographic key
information.
10. The method according to claim 1, wherein for each bit, the
emitter is randomly using one of the four states $|\pm x\rangle$ or
$|\pm y\rangle$ with the convention that $|\pm x\rangle$ code for 0 and
$|\pm y\rangle$ code for 1, and sends it along the quantum channel to
the receiver, the receiver randomly measures $\sigma_x$ or
$\sigma_y$, the emitter announces one of the four pairs of
non-orthogonal states
$A_{\omega,\omega'}=\{|\omega_x\rangle,|\omega'_y\rangle\}$ with
$\omega,\omega'\in\{+,-\}$ and such that one of the states is the one which
he has sent by sending an appropriate message along the
conventional communication channel, the receiver discards all
received encoded bits for which the measurement result he has
obtained is possible for both states disclosed by the emitter and
sends an appropriate information to the emitter along the
conventional communication channel, the receiver deduces the state
actually sent by the emitter and adds the corresponding bit to the
key.
Description
BACKGROUND OF THE INVENTION
[0001] 1. Field of the Invention
[0002] This invention relates generally to the field of quantum
cryptography, and more particularly to a method for exchanging a
key with guaranteed security using systems vulnerable to photon
number splitting (PNS) attacks, i.e. a quantum cryptography
protocol robust against PNS attacks.
[0003] 2. Discussion of Prior Art
[0004] If two users possess shared random secret information (below
the "key"), they can achieve, with provable security, two of the
goals of cryptography: 1) making their messages unintelligible to
an eavesdropper and 2) distinguishing legitimate messages from
forged or altered ones. A one-time pad cryptographic algorithm
achieves the first goal, while Wegman-Carter authentication
achieves the second one. Unfortunately both of these cryptographic
schemes consume key material and render it unfit for use. It is
thus necessary for the two parties wishing to protect the messages
they exchange with either or both of these cryptographic techniques
to devise a way to exchange fresh key material. The first
possibility is for one party to generate the key and to inscribe it
on a physical medium (disc, cd-rom, rom) before passing it to the
second party. The problem with this approach is that the security
of the key depends on the fact that it has been protected during
its entire lifetime, from its generation to its use, until it is
finally discarded. In addition, it is very impractical and
tedious.
[0005] Because of these difficulties, in many applications one
resorts instead to purely mathematical methods allowing two parties
to agree on a shared secret over an insecure communication channel.
Unfortunately, all such mathematical methods for key agreement rest
upon unproven assumptions, such as the difficulty of factoring
large integers. Their security is thus only conditional and
questionable. Future mathematical developments may prove them
totally insecure.
[0006] Quantum cryptography (QC) is the only method allowing the
distribution of a secret key between two distant parties, the
emitter and the receiver, [1] with a provable absolute security.
Both parties encode the key on elementary quantum systems, such as
photons, which they exchange over a quantum channel, such as an
optical fiber. The security of this method comes from the
well-known fact that the measurement of an unknown quantum state
modifies the state itself: a spy eavesdropping on the quantum
channel cannot get information on the key without introducing
errors in the key exchanged between the emitter and the receiver.
In equivalent terms, QC is secure because of the no-cloning theorem
of quantum mechanics: a spy cannot duplicate the transmitted
quantum system and forward a perfect copy to the receiver.
[0007] Several QC protocols exist. These protocols describe how the
bit values are encoded on quantum states and how the emitter and
the receiver cooperate to produce a secret key. The most commonly
used of these protocols, which was also the first one to be
invented, is known as the Bennett-Brassard 84 protocol (BB84) [2].
The emitter encodes each bit on a two-level quantum system either
as an eigenstate of $\sigma_x$ ($|+x\rangle$ coding for "0" and
$|-x\rangle$ coding for "1") or as an eigenstate of $\sigma_y$
($|+y\rangle$ or $|-y\rangle$, with the same convention). The quantum system
is sent to the receiver, who measures either $\sigma_x$ or
$\sigma_y$. After the exchange of a large number of quantum
systems, the emitter and the receiver perform a procedure called
basis reconciliation. The emitter announces to the receiver, over a
conventional and public communication channel the basis x or y
(eigenstate of $\sigma_x$ or $\sigma_y$) in which each
quantum system was prepared. When the receiver has used the same
basis as the emitter for his measurement, he knows that the bit
value he has measured must be the one which was sent over by the
emitter. He indicates publicly for which quantum systems this
condition is fulfilled. Measurements for which the wrong basis was
used are simply discarded. In the absence of a spy, the sequence of
bits shared is error free. Although a spy who wants to get some
information about the sequence of bits that is being exchanged can
choose between several attacks, the laws of quantum physics
guarantee that he will not be able to do so without introducing a
noticeable perturbation in the key.
[0008] Other protocols--like the Bennett 92 (B92) [3]--have been
proposed.
[0009] In practice, the apparatuses are imperfect and also
introduce some errors in the bit sequence. In order to still allow
the production of a secret key, the basis reconciliation part of
the protocol is complemented by other steps. This whole procedure
is called key distillation. The emitter and the receiver check the
perturbation level, also known as quantum bit error rate (QBER), on
a sample of the bit sequence in order to assess the secrecy of the
transmission. In principle, errors should be encountered only in
the presence of an eavesdropper. In practice however, because of
the imperfections of the apparatus, a non-zero error probability
can also always be observed. Provided this probability is not too
large, it does not prevent the distillation of a secure key. These
errors can indeed be corrected, before the two parties apply a so
called privacy amplification algorithm that will reduce the
information quantity of the spy to an arbitrarily small level.
[0010] In the last years, several demonstrations of QC systems have
been implemented using photons as the information carriers and
optical fibers as quantum channels. While the original proposal
called for the use of single photons as elementary quantum systems
to encode the key, their generation is difficult and good
single-photon sources do not exist yet. Instead, most
implementations have relied on the exchange between the emitter and
the receiver of weak coherent states, such as weak laser pulses, as
approximations to ideal elementary quantum systems. Each pulse is a
priori in a coherent state $|\sqrt{\mu}\,e^{i\theta}\rangle$ of weak
intensity (typically the average photon number per pulse
$\mu\approx 0.1$ photons). However since the phase reference of the
emitter is not available to the receiver or the spy, they see a
mixed state, which can be re-written as a mixture of Fock states,
$\sum_n \rho_n |n\rangle\langle n|$, where the number $n$ of
photons is distributed according to Poissonian statistics with mean
$\mu$ and $\rho_n=e^{-\mu}\mu^n/n!$. QC with weak
pulses can be re-interpreted as follows: a fraction $\rho_1$ of
the pulses sent by the emitter contain exactly one photon, a
fraction $\rho_2$ two photons, and so on, while a fraction
$\rho_0$ of the pulses are simply empty and do not contribute to
the key transmission. Consequently, in QC apparatuses employing
weak pulses, a rather important fraction of the non-empty pulses
actually contain more than one photon. The spy is then not limited
any longer by the no-cloning theorem. He can simply keep some of
the photons while letting the others go to the receiver. Such an
attack is called photon-number splitting (PNS) attack. If we assume
that the only constraints limiting the technological power of the
spy are the laws of physics, the following attack is in principle
possible: (1) for each pulse, the spy counts the number of photons,
using a photon number quantum non-demolition measurement; (2) he
blocks the single photon pulses, while keeping one photon of the
multi-photon pulses in a quantum memory and forwarding the
remaining photons to the receiver using a perfectly transparent
quantum channel; (3) he waits until the emitter and the receiver
publicly reveal the bases used, and correspondingly measures the
photons stored in his quantum memory: he must discriminate between
two orthogonal states, and this can be done deterministically. In
this way, he obtains full information on the key, which implies
that no procedure allows the legitimate users to distill a secret
key. In addition, the spy does not introduce any
discrepancies in the bit sequences of the emitter and the receiver.
The only constraint on PNS attacks is that the presence of the spy
should remain undetected. In particular, he must ensure that the
rate of photons received by the receiver is not modified.
[0011] In the absence of the spy, the raw rate of photons that
reach the receiver is given by:
$$R_{\text{Receiver}}(\delta)=\mu\,10^{-\delta/10}\quad[\text{photons/pulse}]\qquad(1)$$
where $\delta=\alpha L$ is the total attenuation in dB of the
quantum channel of length $L$. Thus, the PNS attack can be performed
on all passing pulses only when $\delta\geq\delta_c$ with
$R_{\text{Receiver}}(\delta_c)\approx\rho_2$: the losses that
the receiver expects because of the fiber attenuation are equal to
those introduced by the action of the spy storing and blocking
photons. For shorter distances, the spy sends a fraction $q$ of the
pulses on his perfectly transparent channel without doing anything
and performs the PNS attack on the remaining $1-q$ fraction of the
pulses. The receiver measures a raw detection rate
$$R_{\text{Receiver}|\text{Spy}}(q)=q\mu+(1-q)B\quad[\text{photons/pulse}]\qquad(2)$$
where $B=\sum_{n\geq 2}\rho_n(n-1)$. The parameter $q$ is
chosen so that $R_{\text{Receiver}|\text{Spy}}(q)=R_{\text{Receiver}}(\delta)$. The
information the spy gets on a bit sent by the emitter is 0 when he
does nothing, and 1 when he performs the PNS attack, provided of
course that the receiver has received at least one photon:
$$I_{\text{Spy}}(q)=\frac{(1-q)S}{q+(1-q)S}\quad[\text{bits/pulse}]\qquad(3)$$
with $S=\sum_{n\geq 2}\rho_n$. The critical length of the
quantum channel is determined by the condition
$R_{\text{Receiver}}(\delta_c)=R_{\text{Receiver}|\text{Spy}}(q=0)$. For an
average photon number $\mu=0.1$, one finds $\delta_c=13$ [dB],
which corresponds to a distance of the order of 50 km ($\alpha=0.25$
[dB/km]).
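Equations (1) to (3) can be evaluated numerically to check the figures quoted above and to see how a link's attenuation budget compares with the critical value. The following Python sketch is an added example, not part of the patent text; the function names and the truncation of the Poisson sums at 60 terms are assumptions made for the illustration.

```python
import math

def poisson(n, mu):
    """rho_n = e^{-mu} mu^n / n!: probability that a pulse holds n photons."""
    return math.exp(-mu) * mu ** n / math.factorial(n)

def pns_terms(mu, n_max=60):
    """Return (B, S) with B = sum_{n>=2} rho_n (n-1) and S = sum_{n>=2} rho_n.

    The sums are truncated at n_max (assumption); the tail is negligible
    for the weak pulses (mu < 1) considered in the text.
    """
    b = sum(poisson(n, mu) * (n - 1) for n in range(2, n_max))
    s = sum(poisson(n, mu) for n in range(2, n_max))
    return b, s

def receiver_rate(mu, delta_db):
    """Eq. (1): raw photon rate at the receiver for attenuation delta in dB."""
    return mu * 10 ** (-delta_db / 10)

def critical_attenuation_db(mu):
    """delta_c defined by R_Receiver(delta_c) = R_Receiver|Spy(q=0) = B."""
    b, _ = pns_terms(mu)
    return -10 * math.log10(b / mu)

def critical_distance_km(mu, alpha_db_per_km):
    """Fiber length at which delta = alpha * L reaches delta_c."""
    return critical_attenuation_db(mu) / alpha_db_per_km

def forwarded_fraction(mu, delta_db):
    """q solving Eq. (2) = Eq. (1); clipped to [0, 1] (q = 0 beyond delta_c)."""
    b, _ = pns_terms(mu)
    q = (receiver_rate(mu, delta_db) - b) / (mu - b)
    return min(1.0, max(0.0, q))

def spy_information(mu, delta_db):
    """Eq. (3): information per detected pulse available to the spy."""
    _, s = pns_terms(mu)
    q = forwarded_fraction(mu, delta_db)
    return (1 - q) * s / (q + (1 - q) * s)

if __name__ == "__main__":
    mu, alpha = 0.1, 0.25
    print(f"delta_c = {critical_attenuation_db(mu):.2f} dB, "
          f"L_c = {critical_distance_km(mu, alpha):.1f} km")
    for delta in (0, 3, 6, 9, 12, 15):
        print(f"delta = {delta:2d} dB  q = {forwarded_fraction(mu, delta):.3f}  "
              f"I_Spy = {spy_information(mu, delta):.3f}")
```

Lowering the mean photon number raises the critical attenuation, at the cost of a lower raw rate in Eq. (1).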
[0012] Although the PNS attacks are far beyond today's technology,
their consequences on the security of a QC system relying on weak
coherent states are devastating, when they are included in the
security analysis [4]. The extreme vulnerability of the BB84
protocol to PNS attacks is due to the fact that whenever the spy
can keep one photon, he gets all the information, since he has to
discriminate between two eigenstates of a known Hermitian operator,
which is allowed by the laws of quantum physics.
SUMMARY OF THE INVENTION
[0013] The primary object of the invention is to allow the exchange
of a key featuring absolute security with a quantum cryptography
apparatus using approximations, such as weak coherent states, to
ideal elementary quantum systems.
[0014] It covers a new class of protocols for QC in which the
emitter encodes each bit onto a pair of non-orthogonal states
belonging to at least two suitable sets, which make it possible to
neutralize PNS attacks, and lead thus to secure implementations of QC with
weak coherent states over longer distances than present
protocols.
[0015] The apparatus of the emitter (see FIG. 1) consists of a
source of quantum states and a preparation device. Both of these
elements are controlled by a processing unit. A random number
generator is connected to this processing unit, in order to allow
random preparation of the quantum states. After preparation, these
states are sent along a quantum channel to the receiver. The
receiver consists of an analysis device followed by a detection
unit, both controlled by a processing unit. A random number
generator allows the processing unit to randomly choose the
analysis basis. The emitter and the receiver are connected by a
conventional communication channel.
[0016] The emitter encodes each bit in the state of an elementary
quantum system, belonging to either of the two sets
$A=\{|0_a\rangle,|1_a\rangle\}$ or $B=\{|0_b\rangle,|1_b\rangle\}$,
chosen such that $|\langle 0_a|1_a\rangle|=\eta_a\neq 0$,
$|\langle 0_b|1_b\rangle|=\eta_b\neq 0$, and that there does
not exist a single quantum operation, whether probabilistic or not,
reducing simultaneously the overlaps of the states within all the
sets (see FIG. 2, left).
[0017] In order to obtain correlated results with those of the
emitter, the receiver has to distinguish between two non-orthogonal
states. He can do so by implementing in his analysis device a
generalized measurement that unambiguously discriminates between
these two states at the expense of sometimes getting an inconclusive
result. Such a measurement can be realized by a selective
filtering, whose effect is not the same on all states, followed by
a von Neumann measurement on the states that pass the filter. In
the example of FIG. 2, this filter, discriminating between the
elements of A, is given by
$$F_A=\frac{1}{\sqrt{1+\eta}}\left(|{+x}\rangle\langle 1_a^{\perp}|+|{-x}\rangle\langle 0_a^{\perp}|\right),$$
where $|\psi^{\perp}\rangle$ is the state orthogonal to $|\psi\rangle$. A
fraction $1-\eta$ of the states of set A passes this filter. For the
states that do, the von Neumann measurement of $\sigma_x$ allows
their discrimination. The emitter randomly applies on each quantum
system one of the two filters $F_A$ or $F_B$, and measures
$\sigma_x$ on the outcome. Subsequently, the emitter discloses
for each bit to which set A or B the associated quantum system
belonged. The receiver then discards all the items in which he has
chosen the wrong filter and informs the emitter.
[0018] One particular example of a protocol that belongs to this
new class amounts to a simple modification of the key distillation
procedure applied to bits produced by an apparatus normally used
with the BB84 protocol.
[0019] The emitter sends randomly one of the four states $|\pm x\rangle$
or $|\pm y\rangle$. He applies the convention that $|\pm x\rangle$ code for 0
and $|\pm y\rangle$ code for 1. For a given state, the receiver measures
randomly $\sigma_x$ or $\sigma_y$, which constitutes the most
effective unambiguous way to discriminate between these states.
After the exchange of a sufficiently large number of states, the
emitter announces publicly one of the four pairs of non-orthogonal
states
$A_{\omega,\omega'}=\{|\omega_x\rangle,|\omega'_y\rangle\}$,
with $\omega,\omega'\in\{+,-\}$. Within each set, the overlap
of the two states is $\eta=\frac{1}{\sqrt{2}}$. Let us assume for
example that a $|+x\rangle$ was sent by the emitter, and that he
subsequently announced the set $A_{+,+}$. If the receiver has
measured $\sigma_x$, which happens with 50% probability, he
obtains with certainty the result +1. However, since this outcome
is possible for both states in the disclosed set $A_{+,+}$, it must
be discarded. If the receiver has measured $\sigma_y$ and
obtained +1, again he cannot decide which state was sent by the
emitter. However if he has measured $\sigma_y$ and obtained -1,
then he knows that the emitter must have sent $|+x\rangle$ and adds a 0
to his key.
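The sifting rule of paragraph [0019] can be simulated on an ideal, eavesdropper-free channel to confirm that the kept bits agree and that about one pulse in four survives. The following Python sketch is an added example, not part of the patent text; the amplitude representation in the sigma_z basis, the function names and the seeded random generator are assumptions made for the illustration.

```python
import math
import random

R = 1 / math.sqrt(2)
# Amplitudes in the sigma_z basis of the four states |+-x> and |+-y>.
STATES = {
    ("x", +1): (R, R), ("x", -1): (R, -R),
    ("y", +1): (R, R * 1j), ("y", -1): (R, -R * 1j),
}

def overlap(a, b):
    """|<a|b>| for two qubit states given as amplitude pairs."""
    return abs(sum(complex(u).conjugate() * v for u, v in zip(a, b)))

def measure(state, basis, rng):
    """Von Neumann measurement of sigma_basis; returns +1 or -1 (Born rule)."""
    p_plus = overlap(STATES[(basis, +1)], state) ** 2
    return +1 if rng.random() < p_plus else -1

def pair_overlaps():
    """Overlap inside each announced pair {|w x>, |w' y>}; all equal 1/sqrt(2)."""
    return {(w, v): overlap(STATES[("x", w)], STATES[("y", v)])
            for w in (+1, -1) for v in (+1, -1)}

def run_sifting(n_pulses, seed=1):
    """Return (emitter_key, receiver_key) after sifting n_pulses ideal pulses."""
    rng = random.Random(seed)
    emitter_key, receiver_key = [], []
    for _ in range(n_pulses):
        basis, sign = rng.choice("xy"), rng.choice((+1, -1))
        bit = 0 if basis == "x" else 1          # |+-x> code 0, |+-y> code 1
        other = "y" if basis == "x" else "x"
        # Announced pair: the sent state plus one state of the other basis
        # whose sign is drawn at random.
        announced = {basis: sign, other: rng.choice((+1, -1))}
        m_basis = rng.choice("xy")              # receiver measures sigma_x or sigma_y
        result = measure(STATES[(basis, sign)], m_basis, rng)
        if result == announced[m_basis]:
            continue                            # possible for both states: discard
        # The outcome rules out the announced state of the measured basis,
        # so the state of the other basis was sent.
        receiver_key.append(1 if m_basis == "x" else 0)
        emitter_key.append(bit)
    return emitter_key, receiver_key

if __name__ == "__main__":
    ek, rk = run_sifting(20000)
    errors = sum(a != b for a, b in zip(ek, rk))
    print(f"kept {len(ek)} of 20000 pulses, {errors} mismatches")
    print("overlap within each announced pair:", pair_overlaps())
    print("overlap within a BB84 basis:",
          overlap(STATES[("x", +1)], STATES[("x", -1)]))
```

The last two printed lines show the contrast the text relies on: a BB84 basis announcement leaves two orthogonal candidates, whereas each announced pair here has overlap 1/sqrt(2).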
[0020] The other steps of key distillation (QBER estimate, error
correction and privacy amplification) remain unchanged.
[0021] Other objects and advantages of the present invention will
become apparent from the following descriptions, taken in
connection with the accompanying drawings, wherein, by way of
illustration and example, an embodiment of the present invention is
disclosed.
BRIEF DESCRIPTION OF THE DRAWINGS
[0022] Embodiments of the invention will now be described, by way
of example only, with reference to the accompanying drawings in
which:
[0023] FIG. 1 schematically illustrates one embodiment of the
invention, and
[0024] FIG. 2 shows an example of two sets of non-orthogonal states
used in the new class of QC protocols, the four states lying in a
plane of the Poincare sphere passing through its center. Effect of
the filter $F_A$.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS
[0025] Detailed descriptions of the preferred embodiment are
provided herein. It is to be understood, however, that the present
invention may be embodied in various forms. Therefore, specific
details disclosed herein are not to be interpreted as limiting, but
rather as a basis for the claims and as a representative basis for
teaching one skilled in the art to employ the present invention in
virtually any appropriately detailed system, structure or
manner.
[0026] Referring to FIG. 1, one embodiment of the invention
comprises an emitter 10 and a receiver 40 connected by a quantum
channel 20 and a conventional channel 30. The emitter consists of a
quantum state source 11 and a preparation device 12 controlled by a
processing unit 13. A random number generator 14 is connected to
the processing unit 13. The receiver 40 consists of an analysis
device 41 and a detection unit 42 controlled by a processing unit
43. A random number generator 44 is connected to the processing
unit 43.
[0027] The emitter generates a quantum state using his source 11
and encodes, using the preparation device 12, the value of each bit
on this quantum state belonging to either of the two sets
$A=\{|0_a\rangle,|1_a\rangle\}$ or $B=\{|0_b\rangle,|1_b\rangle\}$,
chosen such that $|\langle 0_a|1_a\rangle|=\eta_a\neq 0$,
$|\langle 0_b|1_b\rangle|=\eta_b\neq 0$, and that there does
not exist a single quantum operation, whether probabilistic or not,
reducing simultaneously the overlaps of the states within all the
sets (see FIG. 2, left). The states are then sent to the receiver
on the quantum channel 20.
[0028] The receiver uses his analysis device 41 to perform a
generalized measurement that unambiguously discriminates between
these two states at the expense of sometimes getting an inconclusive
result. Such a measurement is realized by a selective filtering,
whose effect is not the same on all states, followed by a von
Neumann measurement on the states that pass the filter. An example
of such a filter, discriminating between the elements of A is given
by
$$F_A=\frac{1}{\sqrt{1+\eta}}\left(|{+x}\rangle\langle 1_a^{\perp}|+|{-x}\rangle\langle 0_a^{\perp}|\right),$$
where $|\psi^{\perp}\rangle$ is the state
orthogonal to $|\psi\rangle$. A fraction $1-\eta$ of the states of set A
passes this filter. For the states that do, the von Neumann
measurement of $\sigma_x$ allows their discrimination. The
detection unit 42 records the outcome of the generalized
measurement. The processing unit of the emitter 43 randomly applies
on each qubit one of the two filters $F_A$ or $F_B$, and
measures $\sigma_x$ on the outcome. Subsequently, the emitter
discloses for each bit the set A or B. The receiver then discards
all the items in which he has chosen the wrong filter and informs
the emitter through messages on the conventional channel 30.
[0029] The emitter and the receiver follow then the procedure of
key distillation comprising the steps of QBER estimate, error
correction and privacy amplification.
[0030] This new class of protocols is straightforwardly generalized
to the use of quantum systems comprising more than two levels.
[0031] It can also be generalized to the cases where more than two
sets of states are used.
[0032] While the invention has been described in connection with a
preferred embodiment, it is not intended to limit the scope of the
invention to the particular form set forth, but on the contrary, it
is intended to cover such alternatives, modifications, and
equivalents as may be included within the spirit and scope of the
invention as defined by the appended claims.
REFERENCES
[0033] [1] Nicolas Gisin, Gregoire Ribordy, Wolfgang Tittel, and
Hugo Zbinden, "Quantum Cryptography", Rev. of Mod. Phys. 74,
(2002).
[0034] [2] Charles Bennett and Gilles Brassard, in
Proceedings IEEE Int. Conf. on Computers, Systems and Signal
Processing, Bangalore, India (IEEE, New York, 1984), pp. 175-179.
[0035] [3] Charles Bennett, Phys. Rev. Lett. 68, 3121 (1992).
[0036] [4] Gilles Brassard, Norbert Lütkenhaus, Tal Mor, and Barry
C. Sanders, Phys. Rev. Lett. 85, 1330 (2000).